01-11-2017 11:46 AM
Has anyone had any issues deploying Exchange 2016 servers in a "DMZ" behind the Palo Alto firewall?
Microsoft does not support this configuration and their preferred architecture is to put the Exchange servers in the internal network. Because these Exchange servers are public facing, we are pushing to have the servers set up in our DMZ.
01-11-2017 02:40 PM
Hello,
What you are attempting to do is the right approach, in my opinion. The logs are your best friend when it comes to this. Check for any traffic not getting to where it needs to go. I always put a DENYALL rule as the last rule so I can see clearly if it is being hit by any traffic and adjust or add rules above it.
Hope this helps.
01-12-2017 09:34 AM
Microsoft doesn't support it because it's a time-consuming thing to set up; as long as you have the time to monitor the logs and open the ports that are actually needed, you really aren't going to run into any issues. I'm actually not sure why Microsoft really discourages this configuration; I assume because it causes an issue with setting up autodiscover if you don't have the right ports open?
01-13-2017 01:41 PM
I'm sure they advise against it because they don't want to have their support folks or system level contractors have to worry about something obstructing access. There's also the argument of local Windows firewalls. I personally disagree with the idea of not putting it in a segregated environment--especially because as of 2016 Outlook Web Access also runs on the same server. As long as the correct ports (and app-ids) are defined it should work.